wordpress blog stats
Connect with us

Hi, what are you looking for?

Explained: The EU-US Data Privacy Framework and How It Approaches US Surveillance of EU Data

The agreement—called an “adequacy decision” in policy terms—is to ensure free and ‘safe’ data transfers between the two regions without additional privacy safeguards.

After years of negotiations, the European Union finally adopted a data flows framework ensuring ‘adequate’ data privacy for European data transferred to the United States on Monday, said a European Commission press release. The EU-US Data Privacy Framework is in force as of July 10th, allowing free and ‘safe’ data transfers between the two regions without additional privacy safeguards.

The move follows 2020’s landmark Schrems II verdict where the EU’s top court struck down transfers between the two countries under “Privacy Shield” over concerns of disproportionate and invasive American surveillance of EU data.

“The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic,” said EU President Ursula von der Leyen yesterday. US President Joe Biden added that “the decision reflects our joint commitment to strong data privacy protections and will create greater economic opportunities for our countries and companies on both sides of the Atlantic”.

What’s the basic structure of the framework? In policy terms, this agreement is called an ‘adequacy decision’. It stems from the EU’s privacy law (the General Data Protection Regulation), which allows data transfers from the EU to countries offering a comparable level of data protection as the EU. This adequacy decision basically applies to data transfers from public and private entities in the European Economic Area to US companies who have signed up to the EU-US Data Privacy Framework.

What are the data privacy safeguards like? US companies can join the framework by committing to various other privacy obligations, such as ensuring data is protected when shared with third parties, and deleting personal data when it is no longer needed.

The decision’s safeguards also stem from the White House’s Executive Order last year on the framework. They include limiting government access to data to whatever is “necessary and proportionate to protect national security”. Intelligence agencies will be monitored carefully to ensure that their surveillance activities are limited.

EU residents also get new rights under the framework—like the right to access their data, and to correct or delete incorrect or “unlawfully handled data”. The adequacy decision also mandates separate and stringent privacy protections for sensitive data (like health data) transferred between the two countries. Companies participating are expected to follow data minimisation practices, while ensuring that the data they have is factually accurate.

Advertisement. Scroll to continue reading.

The US’ safeguards will also apply when EU data is transferred under other mechanisms, like standard contractual clauses or binding corporate clauses.

What if there’s a privacy violation?  The newly-established two-tier complaints mechanism will investigate complaints on the collection and use of their data by American intelligence agencies. Under the two-tier complaints mechanism:

  • A ‘Civil Liberties Protection Officer’ from the US Intelligence will investigate the complaint: They’re otherwise responsible for ensuring US government compliance with privacy and other rights.
  • Decisions can be appealed before the Data Protection Review Court (DPRC): The Court, an independent body comprised of non-US government officials, will review the complaint. The DPRC has powers to access information from US intelligence agencies and to issue binding remedial verdicts. For example, it can order data deletion if it finds that the framework’s safeguards are violated.

Complaints don’t need to demonstrate misuse by intelligence authorities. They can also be submitted to the EU residents’ national data protection authority, who’ll then forward the complaint to the relevant body, or sent to the United States by the European Data Protection Board. EU residents can also avail of free and independent dispute resolution mechanisms, and arbitration too.

What next? The United States Department of Commerce will be administering the framework, while compliance with it will be enforced by the United States’ Federal Trade Commission. The framework’s functioning will also be periodically reviewed by European data protection authorities, the European Commission, and US authorities too. The first review will take place one year into the decision’s implementation.

STAY ON TOP OF TECH POLICY: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!

Read more

Written By

I'm interested in stories that explore how countries use the law to govern technology—and what this tells us about how they perceive tech and its impacts on society. To chat, for feedback, or to leave a tip: aarathi@medianama.com

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



The Central Board of Film Certification found power outside the Cinematograph Act and came to be known as the Censor Board. Are OTT self-regulating...


Jio is engaging in many of the above practices that CCI has forbidden Google from engaging in.


Is it safe to consider all "publicly available data" as public?


PhonePe launched an e-commerce buyer app for ONDC called Pincode. We, however, believe that it should also launch a seller app.


Amazon announced that it will integrate its logistics network and SmartCommerce services with the Open Network for Digital Commerce (ONDC).

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ